CVE-2024-56946
📋 TL;DR
This vulnerability in Technitium DNS Server allows remote attackers to cause a denial of service by sending specially crafted DNS-over-QUIC requests that trigger unhandled exceptions in listener threads. This permanently stops the server from accepting new DNS-over-QUIC connections. Only systems running Technitium DNS Server with DNS-over-QUIC enabled are affected.
💻 Affected Systems
- Technitium DNS Server
📦 What is this software?
Dnsserver by Technitium
⚠️ Risk & Real-World Impact
Worst Case
DNS-over-QUIC service becomes completely unavailable, requiring server restart to restore functionality. DNS-over-TCP/UDP services continue working.
Likely Case
Attackers disrupt DNS-over-QUIC service availability, causing intermittent DNS resolution failures for clients using this protocol.
If Mitigated
If DNS-over-QUIC is disabled or properly firewalled, impact is limited to potential service degradation rather than complete outage.
🎯 Exploit Status
Attack requires network access to DNS-over-QUIC port (853 by default). No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v13.3
Vendor Advisory: https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-133
Restart Required: Yes
Instructions:
1. Download v13.3 or later from https://github.com/TechnitiumSoftware/DnsServer/releases
2. Stop the DNS server service
3. Install the new version
4. Restart the service
🔧 Temporary Workarounds
Disable DNS-over-QUIC
(all platforms) Temporarily disable the DNS-over-QUIC service until patching is possible
Edit Technitium DNS Server configuration file and set 'dnsOverQuic' to false
Firewall DNS-over-QUIC port
(Linux) Block external access to the DNS-over-QUIC port (default 853). Note that QUIC runs over UDP; the TCP rule below also blocks DNS-over-TLS, which shares port 853.
iptables -A INPUT -p udp --dport 853 -j DROP
iptables -A INPUT -p tcp --dport 853 -j DROP
🧯 If You Can't Patch
- Disable DNS-over-QUIC in server configuration
- Implement network segmentation to restrict access to DNS-over-QUIC port from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check server version and DNS-over-QUIC configuration status
Check Version:
Check Technitium DNS Server web interface or configuration file for version number
Verify Fix Applied:
Verify server version is v13.3 or later and test DNS-over-QUIC functionality
📡 Detection & Monitoring
Log Indicators:
- Unhandled exception errors in DNS server logs
- DNS-over-QUIC listener thread failures
- Sudden drop in DNS-over-QUIC query volume
Network Indicators:
- Unusual DNS-over-QUIC traffic patterns
- Repeated connection attempts to port 853/UDP
- DNS-over-QUIC service unresponsive while other DNS protocols work
SIEM Query:
source="technitium-dns" AND ("exception" OR "unhandled" OR "listener thread")
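The version check from "How to Verify" and the log indicators from "Detection & Monitoring" above, combined into one small script. This is an added example, not part of the original advisory or of the Technitium project; the log line format is constructed and the real Technitium log layout may differ.

```python
import re
from typing import Iterable

FIXED_VERSION = (13, 3)  # patched in v13.3 per the vendor advisory


def parse_version(v: str) -> tuple:
    """Turn a version string such as 'v13.2.1' into (13, 2, 1)."""
    return tuple(int(p) for p in v.strip().lstrip("vV").split("."))


def is_vulnerable(version: str, doq_enabled: bool) -> bool:
    """Vulnerable only when running below v13.3 with DNS-over-QUIC enabled."""
    return doq_enabled and parse_version(version) < FIXED_VERSION


# Constructed sample log lines (hypothetical format) used to exercise the
# detection logic; two of them carry the advisory's log indicators.
SAMPLE_LOG = """\
[2025-01-10 10:00:01] DNS Server was started successfully.
[2025-01-10 10:00:05] QUIC listener started on 0.0.0.0:853
[2025-01-10 10:05:12] Unhandled exception in QUIC listener thread: NullReferenceException
[2025-01-10 10:05:13] Unhandled exception in QUIC listener thread: NullReferenceException
[2025-01-10 10:06:00] Cache was flushed.
"""

# Same terms as the SIEM query in the advisory: exception / unhandled / listener thread.
INDICATOR = re.compile(r"unhandled|exception|listener thread", re.IGNORECASE)


def find_indicators(lines: Iterable[str]) -> list:
    """Return the log lines that match one of the advisory's log indicators."""
    return [ln for ln in lines if INDICATOR.search(ln)]


def should_alert(lines: Iterable[str], threshold: int = 2) -> bool:
    """Raise an alert once the indicator appears at least `threshold` times,
    which filters a single benign exception out of the DoS signal."""
    return len(find_indicators(lines)) >= threshold


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("v13.2", doq_enabled=True))
    for hit in find_indicators(SAMPLE_LOG.splitlines()):
        print("indicator:", hit)
    print("alert:", should_alert(SAMPLE_LOG.splitlines()))
```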